Getting Started with OAuth 2.0

OAuth 2.0 is the go-to solution for API security, bringing authorization and delegation to modern HTTP APIs. In this course, you'll learn the fundamentals of OAuth, allowing you to architect and implement the right solution for your requirements.
Course info
Level: Intermediate
Updated: Sep 14, 2018
Duration: 1h 43m
Description

OAuth 2.0 is the go-to solution for API security, bringing authorization and delegation to modern HTTP APIs. In this course, Getting Started with OAuth 2.0, you'll learn the fundamentals of OAuth and why it is preferred over past solutions. First, you'll explore each grant type and flow in detail, looking at their strengths and weaknesses, and when they should and should not be used. Next, you'll take a close look at native applications such as mobile apps, and the unique security issues they face when using OAuth. Finally, you'll learn some common extensions to the OAuth protocol, such as OpenID Connect and the upcoming OAuth device flow. All of this is covered without using any particular programming language or stack. When you're finished with this course, you will know how to integrate with any OAuth 2 authorization server and architect the right solution for your requirements.

About the author

Scott Brady is a software developer specializing in identity and access management. Focusing on ASP.NET, Scott has increasingly found himself in undocumented territory, piecing together the facts and attempting to pass them on so that others don't have to go through the same.

More from the author
ASP.NET Core Identity Deep Dive (Intermediate, 2h 31m, 9 Mar 2018)
ASP.NET Identity 2 Fundamentals (Intermediate, 2h 28m, 13 Apr 2017)
Section Introduction Transcripts

Course Overview
Hi everyone, my name is Scott Brady, and welcome to my course, Getting Started with OAuth 2.0. In this course, we are going to take a look at the OAuth 2 authorization framework and some of the work that's been happening that makes OAuth and its extensions the gold standard for API security. This course is going to be completely programming free, and it's suitable for software developers of any language or stack. We'll be taking a detailed look at API authorization as a whole, including both what OAuth aims to solve and why older methods should no longer be used. We will see OAuth grant types and when each one is suitable for usage and when they are not, how native applications such as mobile apps have their own challenges and solutions, and finally, the future of OAuth, taking a look at some of the upcoming extension specifications and how existing extensions can be used. If you're looking for a course that will allow you to understand and have a fighting chance with any OAuth implementation, then you're in the right place. This course will allow you to talk the talk and architect the right solution for you. I hope you'll join me on this journey to learn OAuth 2 and API authorization with the Getting Started with OAuth 2.0 course, at Pluralsight.

API Security 101
Hi, my name is Scott Brady, and welcome to Getting Started with OAuth 2.0. In this course, we'll be taking a look at the OAuth 2 authorization framework and some of the work that's been happening around it that makes OAuth and its extensions the gold standard for API authorization. In this module, we're going to take a look at the problem of API authorization, looking at how technologies have changed and how new application types have made us adapt and, in turn, create protocols such as OAuth. We're then going to take a look at past API authorization solutions because understanding why other techniques shouldn't be used anymore is just as important as understanding why we use the current solutions. If you're already familiar with why credential sharing, cookies, and API keys aren't suitable for modern applications, then feel free to skip these sections. We are then going to look at the current solution for API security, which is OAuth 2, taking a high-level look at how this protocol works and how the pieces fit together. We're then going to discuss some of the common criticisms with OAuth and see if they have any merit. In this module, we're going to keep things pretty abstract and leave the actual HTTP requests and technical details to the next module called OAuth in Detail.

OAuth in Detail
Hi, my name is Scott Brady, and welcome to the OAuth in Detail module of the Getting Started with OAuth 2.0 course on Pluralsight. In this module, we're going to be taking an in-depth look at each of the core OAuth authorization grant types, which are the different ways to get an access token. We'll be looking at how each of these authorization flows work, when best to use them, and what mistakes to avoid. We'll also see how to handle some of this data, including the most appropriate response modes and potential error messages. I recommend that you at least watch up until the authorization code for web applications section of this module. Not only is authorization code the most common OAuth flow, but in this section, we'll be encountering a lot of core concepts for the first time, much of which are common to the other flows and will be referenced throughout the rest of this course.

Best Practices for Native Applications
Hi, my name is Scott Brady, and welcome to the Best Practices for Native Applications module of the Getting Started with OAuth 2 course on Pluralsight. In this module, we're going to be taking a focus on the unique security issues common to native applications, such as mobile and desktop apps, and how running our client applications on shared devices such as these needs its own set of OAuth specifications. We're then going to look at the PKCE mechanism for securing our native applications and how PKCE can prevent various forms of man-in-the-middle attacks. On top of all this, we're then going to review the best current practices for native applications using OAuth, as recommended by the OAuth working group, including the risks around redirect URIs and browser types.
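The authorization code grant covered in the OAuth in Detail module and the PKCE protection covered in this module fit together in one exchange, which the course itself does not show in code since it is language-agnostic. The following is an added Python example, not material from the course or its author: a client builds the authorization request with an S256 code_challenge, checks state on the callback, and redeems the code with the code_verifier; a minimal in-memory authorization server (constructed here, not any real product) binds the challenge to the issued code and rejects an attacker who captured the code from the redirect but never had the verifier. The loopback redirect URI, client_id, scope and endpoint URL are placeholders.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """code_verifier: 32 random bytes -> 43 unreserved characters (RFC 7636, section 4.1)."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), method S256."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                            scope: str, state: str, challenge: str) -> str:
    """Front-channel request the native app opens in the system browser."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return authorize_endpoint + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> Optional[str]:
    """Client side: accept the code only if state matches what this client sent (CSRF check)."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        return None
    return qs.get("code", [None])[0]


class ToyAuthorizationServer:
    """Constructed stand-in for the two server endpoints; a real server also
    authenticates the user, validates scope and registered redirect URIs."""

    def __init__(self) -> None:
        self._pending = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str, method: str) -> str:
        """Authorization endpoint: bind the challenge to a freshly issued code."""
        if method != "S256":  # 'plain' gives no protection if the request itself is observed
            raise ValueError("only S256 is accepted")
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, code: str, client_id: str, redirect_uri: str, code_verifier: str) -> dict:
        """Token endpoint: the code is consumed on first use, success or not, so a
        stolen code cannot be used to brute-force the verifier."""
        entry = self._pending.pop(code, None)
        if entry is None:
            return {"error": "invalid_grant"}
        cid, ruri, challenge = entry
        if cid != client_id or ruri != redirect_uri:
            return {"error": "invalid_grant"}
        if not secrets.compare_digest(make_challenge(code_verifier), challenge):
            return {"error": "invalid_grant"}
        return {"access_token": b64url(secrets.token_bytes(24)),
                "token_type": "Bearer", "expires_in": 3600}


def run_flow(server: ToyAuthorizationServer, intercept: bool = False) -> dict:
    """Run the whole exchange. With intercept=True the code is redeemed by an attacker
    who saw the redirect (e.g. a rogue app on the same device) but not the verifier."""
    client_id, redirect_uri = "native-app", "http://127.0.0.1:8080/callback"  # placeholders
    verifier = make_verifier()
    state = b64url(secrets.token_bytes(16))
    auth_url = build_authorization_url("https://as.example/authorize", client_id,
                                       redirect_uri, "api.read", state, make_challenge(verifier))
    # The user authenticates at auth_url; the server then redirects back with code and state.
    code = server.authorize(client_id, redirect_uri, make_challenge(verifier), "S256")
    callback = redirect_uri + "?" + urlencode({"code": code, "state": state})
    received_code = parse_callback(callback, state)
    redeem_with = make_verifier() if intercept else verifier  # attacker can only guess
    return {"authorization_url": auth_url,
            "token_response": server.token(received_code, client_id, redirect_uri, redeem_with)}
```

Running `run_flow(ToyAuthorizationServer())` yields a bearer token; running it with `intercept=True` yields `invalid_grant`, which is the whole point of PKCE for a public client that cannot keep a secret. Two details worth keeping in production code: the verifier must be generated fresh per authorization request and never logged, and the state check on the callback is a separate defence (against CSRF) that PKCE does not replace.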

Extending OAuth
Hi, my name is Scott Brady, and welcome to the Extending OAuth module of the Getting Started with OAuth 2 course on Pluralsight. In this module, we're going to take a look at some of the more popular OAuth extensions, as well as some new extensions that are worth knowing about when you come to integrate your next OAuth client application. These include OpenID Connect, an excellent identity layer built upon OAuth; the new OAuth metadata, allowing us to programmatically load an authorization server's configuration; the upcoming OAuth Device Flow, an upcoming specification that introduces a new authorization flow specially made for browserless and input-constrained devices; and finally, we'll look at how we can combine the SAML and OAuth protocols, bringing these two popular protocols together in a secure way.